Panda Banker Zeros in on Japanese Targets

Based on our data and analysis this is the first time that we have seen Panda Banker injects targeting Japanese organizations.

It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting, Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns.

The sample used in this campaign was the first sample we observed in the wild to use the newest version of Panda Banker, version 2.6.6.

Overview

Panda Banker is based on the Zeus malware family. One of its main functions is stealing user credentials, account numbers, and ultimately money from financial institutions. It does this by using a technique known as “man in the browser” along with “webinjects” that specify what websites to target and how.

This banking malware was first seen in the wild in the beginning of 2016 (version 2.1.x) and has had consistent, incremental development since then. While some details have changed, our “Who Let the Pandas Out? Zeus, Zeus, Zeus, Zeus” blog post is still a good introduction to the technical details of the malware.

Panda Banker is sold as a kit on underground forums so there are multiple users of the malware. Cybercrime threat actors tend to focus their campaigns on particular countries—usually dependent on their ability to convert stolen credentials and account details from those locations into real money. Over the years we’ve seen Panda Banker campaigns focus on financial institutions in: Italy, Canada, Australia, Germany, United States, United Kingdom, and now Japan.

Campaign Analysis

A new version of Panda Banker, version 2.6.6, was observed being distributed in the wild on March 26th:

While we didn’t see any significant changes to the malware itself (possibly just a “bug fix” release), the campaign using this sample stood out for two reasons:

No IOC overlap with any previous Panda Banker campaigns that we’ve seen.

Webinjects targeting Japan, a country we haven’t seen targeted by Panda Banker before.

Command & Control (C2)

The C2 servers configured for this sample are listed below:

https://hillaryzell[.]xyz/1wekenauhivwauvaxquor.dat

https://buscamapa1[.]top/2yrfuupcovylaawubitvy.dat

https://buscamapa2[.]top/3toaxkatoindyepidikuv.dat

https://buscamapa3[.]top/4heequktuepahvoyfofit.dat

https://buscamapa4[.]top/5ufyfegtuobekpykobeul.dat

https://buscamapa5[.]top/6lubanuoxapywinlaokow.dat

At the time of research, only hillaryzell[.]xyz was operational and it was registered to a “Petrov Vadim” using an email address of “yalapinziw@mail.ru”.

Campaign Name

The threat actor named this campaign “ank”.

Webinjects

At the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:

17 Japanese banking web sites mostly focusing on credit cards

1 US based web email site

1 US based video search engine

4 US based search engines

1 US based online shopping site

2 US based social media sites

1 US based adult content hub

An example, redacted webinject for this campaign looks like the following:

Example webinject targeting Japan.

The webinjects in this campaign make use of a “grabber” / automated transfer system (ATS) system known as “Full Info Grabber” to capture credentials and account information. As can be seen in figures above, the threat actor is using a path of “jpccgrab” possibly meaning “Japanese credit card grabber”. Given the targeting, this name makes some sense.

Distribution (update March 28, 2018)

Security researcher kafeine has released more details on how this threat is being distributed in the wild: a malicious advertisement (malvertising) is redirecting victims to a RIG exploit kit which is distributing the Panda Banker malware.

Conclusion

Japan is no stranger to banking malware. Based on recent reports, the country has been plagued by attacks using the Ursnif and Urlzone banking malware. This post was our first analysis of the first Panda Banker campaign that we’ve seen to target financial institutions in Japan.

Subscribe to this blog

First Name*

Last Name*

Company*

Email*

Name

This field is for validation purposes and should be left unchanged.

Asert

Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally.

ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe.

Arbor Networks has collaborated with Jigsaw (formerly Google Ideas) to create a data visualization that shows how Distributed Denial of Service (DDoS) attacks have become a global problem. The data is updated daily from Arbor’s global network of sensors and can be viewed at www.digitalattackmap.com